Friday, September 26, 2008

Password recovery site could pose security risk - 26 Sep 2008

All it took for a hacker to break into vice presidential candidate Sarah Palin's Yahoo e-mail account last week was the answers to three questions: her zip code, her birth date and where she met her spouse.

Once into her account, the hacker copied her e-mail address book and several e-mails and photos and posted them on the Internet, where they were picked up and redistributed by many Web sites and newspapers.

So how hard would it be for a similar hack to be done at Lehigh?

Not that hard, a computer security expert said, if the security questions the users set had obvious answers.

Students who forget their passwords can visit the password recovery site, which asks them to answer three custom security questions they set earlier. The questions themselves are shown to anyone who supplies nothing more than the account's login name.

Computer science professor and security expert Daniel Lopresti said the current system, which allows an unlimited number of guesses and even tells you which answers were incorrect, could be broken through educated guessing or by writing a program to guess automatically.

For example, Lopresti said that many apparently private questions, such as a favorite color or favorite baseball team, often only have a few plausible answers and can be easily guessed.

The system could be made more secure, Lopresti said, by limiting the number of guesses to a few per hour and by not telling users which of the questions were answered incorrectly.
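To make the two suggestions concrete, here is an added example (not code from Lehigh, LTS, or the article) that models both versions of a recovery page and runs a guessing program against each. The weak verifier allows unlimited guesses and reports which answers were wrong; the hardened one caps guesses per hour and returns a single pass/fail. The account answers, the candidate lists, the five-per-hour limit and the choice to store answers as hashes are all constructed for illustration.

```python
"""Added example: per-question feedback vs. a rate-limited single verdict.

Everything below (answers, candidate lists, the hourly cap, the hashing of
stored answers) is a constructed assumption, not Lehigh's system.
"""
import hashlib
import hmac
import itertools
import time


def _normalize(answer: str) -> str:
    """Fold case and whitespace so 'Red Sox' and 'red  sox' compare equal."""
    return " ".join(answer.strip().lower().split())


def _digest(answer: str) -> bytes:
    # Store a hash rather than the plaintext answer (an assumed design choice).
    return hashlib.sha256(_normalize(answer).encode()).digest()


class WeakRecovery:
    """Unlimited guesses; tells the caller which answers were wrong."""

    def __init__(self, answers):
        self._hashes = [_digest(a) for a in answers]
        self.attempts = 0

    def check(self, guesses):
        self.attempts += 1
        # One boolean per question: this is the leak the article describes.
        return [hmac.compare_digest(h, _digest(g)) for h, g in zip(self._hashes, guesses)]


class HardenedRecovery:
    """At most max_per_hour guesses per account; one yes/no for the whole set."""

    def __init__(self, answers, max_per_hour=5, clock=time.time):
        self._hashes = [_digest(a) for a in answers]
        self.max_per_hour = max_per_hour
        self._clock = clock          # injectable so the window can be tested
        self._window = []            # timestamps of attempts in the last hour
        self.attempts = 0

    def check(self, guesses):
        now = self._clock()
        self._window = [t for t in self._window if now - t < 3600]
        if len(self._window) >= self.max_per_hour:
            raise PermissionError("too many attempts; try again later")
        self._window.append(now)
        self.attempts += 1
        if len(guesses) != len(self._hashes):
            return False
        ok = True
        for h, g in zip(self._hashes, guesses):
            ok &= hmac.compare_digest(h, _digest(g))   # no short-circuit, no per-question leak
        return ok


def attack_with_feedback(target, candidates):
    """Test one candidate per question per attempt; cost is max(list sizes)."""
    found = [None] * len(candidates)
    for k in range(max(len(opts) for opts in candidates)):
        guess = [found[i] if found[i] is not None else opts[min(k, len(opts) - 1)]
                 for i, opts in enumerate(candidates)]
        for i, ok in enumerate(target.check(guess)):
            if ok:
                found[i] = guess[i]
        if all(f is not None for f in found):
            return found
    return None


def attack_without_feedback(target, candidates):
    """Only a single verdict per attempt: must walk the product of the lists."""
    for combo in itertools.product(*candidates):
        try:
            if target.check(list(combo)):
                return list(combo)
        except PermissionError:
            return None   # locked out for the hour
    return None


def demo():
    answers = ["blue", "red sox", "18015"]                    # constructed account
    candidates = [["red", "blue", "green", "black"],           # favorite color
                  ["yankees", "red sox", "phillies"],          # favorite team
                  ["18015", "18017", "18018", "18042", "18049"]]  # local zip codes
    combos = 1
    for opts in candidates:
        combos *= len(opts)
    weak = WeakRecovery(answers)
    unlimited = HardenedRecovery(answers, max_per_hour=10**9)  # verdict only, no cap
    hardened = HardenedRecovery(answers, max_per_hour=5)
    w = attack_with_feedback(weak, candidates)
    u = attack_without_feedback(unlimited, candidates)
    h = attack_without_feedback(hardened, candidates)
    return {"combinations": combos,
            "weak_cracked": w == answers, "weak_attempts": weak.attempts,
            "no_feedback_unlimited_cracked": u == answers,
            "no_feedback_unlimited_attempts": unlimited.attempts,
            "hardened_cracked": h == answers, "hardened_attempts": hardened.attempts}


if __name__ == "__main__":
    print(demo())
```

With per-question feedback the program needs only as many attempts as the longest candidate list, because every attempt tests one candidate for every question at once. Removing the feedback forces it through the combinations, which for short lists is still only a few dozen guesses; the hourly cap is what actually stops it. Both verifiers use `hmac.compare_digest` and the hardened one evaluates every question before answering, so response timing does not reintroduce the leak.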

More security, however, could frustrate users and would be less convenient.

"If it were much more secure, it would probably annoy a lot of other people, but security is always a trade-off," Lopresti said.

Guessing private questions to break into e-mail accounts isn't anything new. Many believe Paris Hilton's T-Mobile account was hacked in 2005 by supplying only basic information and the name of her dog.

But accounts should be safe from any guessing attempts as long as the user chooses private, unknown questions, said Library and Technology Services Security Officer Blair Bernhardt.

"There's no such thing as 100 percent protection," Bernhardt said. "It's a question of how much an individual protects themselves through the security question."

Bernhardt said that by choosing more personal questions that no one else would know, users can be adequately protected, even if there is no limit on the number of guesses a user can make.

But Lopresti said all it would take is a single weakly protected account to compromise Lehigh's system. A hacker could look through the security questions of every high-ranking administrator and then only try to break into the least secure account, he said.

Lopresti added that usually more important accounts, such as those held by top administrators, are more secure because the people who created them are better-trained in password security.

LTS does not limit the number of attempts at guessing, Bernhardt said, because it could inadvertently lock out legitimate users who had forgotten their password.

"If it turned out to be a major issue and if there was a need for this we would probably consider it," Bernhardt said of the number of guesses.

Attempting to break into any user's account is illegal, Bernhardt said, and is punishable by both the school and law enforcement officials.

By Chris Knight
